Counterexamples in Probabilistic LTL Model Checking for Markov Chains


Counterexamples in Probabilistic LTL Model Checking for Markov Chains (slide 1 / 24)
Matthias Schmalz (1), Daniele Varacca (2), Hagen Völzer (3)
(1) ETH Zurich, Switzerland; (2) PPS - CNRS & Univ. Paris 7, France; (3) IBM Research Zurich, Switzerland
September 1st, 2009

Probabilistic Model Checking (slide 2 / 24)
Inputs Σ, Φ, t. Question: P[Φ] > t? Answer: Yes / No.
Σ: discrete-time finite-state Markov chain
Φ: linear-time temporal logic (LTL) formula
"One of the most important advantages of model checking ... is its counterexample facility." (Clarke et al.)

Contributions (slide 3 / 24)
- a way of representing counterexamples in probabilistic LTL model checking
- a method supporting the user in finding the error
- algorithms for computing our counterexample representations

Terminology (slide 4 / 24)
System (Markov chain) Σ: (figure: states s, q, p, r; transition probabilities 0.7, 0.4, 0.3, 1, 1, 0.6)
Notion      | Example
Path x      | s q p r p r ...
Property Y  | spr (set of paths with prefix spr); Sat( r) (set of paths infinitely often visiting r)
Transition probabilities are positive. Paths are infinite. Properties are sets of paths.
Probability of a property: P[spr] = 0.7 · 0.4.

Quantitative and Qualitative (slide 5 / 24)
Quantitative Probabilistic Model Checking: inputs Σ, Φ, t; question P[Φ] > t?; answer Yes / No.
Qualitative Probabilistic Model Checking: inputs Σ, Φ; question P[Φ] = 1?; answer Yes / No.

Outline (slide 6 / 24)
- Qualitative Counterexamples
- Other Results

Validity: Counterexample (slide 7 / 24)
Specification: AΦ
The model checker claims: Σ AΦ
Counterexample: a path violating Φ
The user finds the bug by inspecting the counterexample.

Satisfiability: Simulation (slide 8 / 24)
Specification: E jackpot
The model checker claims: Σ E jackpot
Counterexample: set of all paths of Σ (useless)
How to find the bug? The user defined Σ and Φ. He has an idea how to reach the jackpot. The user tries to reach the jackpot. The user finds the bug by simulating the system.

Probabilistic Correctness: Interaction (slide 9 / 24)
Validity                  | Probabilistic Correctness       | Satisfiability
Σ AΦ                      | P[Φ] = 1                        | Σ EΦ
Counterexample: mc creates a path | Interaction: both create a path | Simulation: user creates a path

Our Approach (slide 10 / 24)
Question: Why is P[Φ] < 1?
Counterexample: a property Y with
1. Y Sat(Φ) = ,
2. P[Y] > 0.
(figure: all paths, Y, Sat(Φ))
Interaction: The user learns why 1 and 2 hold. Helps the user find a bug.

An Example System (slide 11 / 24)
Σ: (figure: states s, q, p, r, t ...; transition probabilities 0.5, 0.5, 1, 0.3, 1, 0.4, 0.3, 0.5, 0.5)
P[Φ] = 1 is independent of precise transition probabilities! It only depends on which states are connected by a transition.
Bug: transition t q is missing.
I will ... give a specification Φ, give a counterexample Y in our representation, explain the interaction helping the user find the bug.

Finitary Counterexamples (slide 12 / 24)
Specification: Φ := rr q
Question: Why is P[Φ] < 1?
Σ: (figure: states s, q, p, r, t ...)
Try a finitary counterexample, e.g., Y := sp. Y Sat(Φ), as spp^ω Y Sat(Φ). Y is no counterexample.
Moreover: there is no finitary counterexample!

Beyond Finitary Counterexamples (slide 13 / 24)
Specification: Φ := rr q
Question: Why is P[Φ] < 1?
Σ: (figure: states s, q, p, r, t ...)
Counterexample: Y := sp Sat( rr)
Y Sat(Φ) sp Sat( q) = .
rr belongs to a bscc reachable after sp. Hence, P[Y] = P[sp] > 0.
Y is a counterexample.

Finding the Bug (slide 14 / 24)
Specification: Φ := rr q
Question: Why is P[Φ] < 1?
Σ: (figure: states s, q, p, r, t ...)
The model checker outputs Y := sp Sat( rr) and explains:
1. rr is in a bscc reachable after sp.
2. Y Sat(Φ) = . (???)
Hence P[Φ] < 1.
Why is Y Sat(Φ) = ? User and MC create a path x. MC ensures x Y. User aims for x Φ. By failing the user finds the bug!
(animation of the play: s p, then s p t q)

Finite Path Leading to a Recurrent Word (slide 15 / 24)
Definition. Recurrent word := finite path fragment belonging to a bscc.
A finite path α (almost surely) leads to a recurrent word γ: the bscc of γ is the only bscc reachable after α.
(figure: ... α ... γ ..., λ)

Qualitative Counterexamples (slide 16 / 24)
Question: Why is P[Φ] < 1?
Counterexample: Y := α Sat( γ), where
1. γ recurrent,
2. α (almost surely) leads to γ,
3. Y Sat(Φ) = .
Theorem (Soundness)
(a) 1, 2 = P[ γ α] = 1 and hence P[Y] > 0.
(b) 1, 2, 3 = P[Φ α] = 0 and hence P[Φ] 1 P[α] < 1.
α explains how much probability is lost. α explains where the probability is lost. γ explains why the probability is lost.
Theorem (Completeness)
P[Φ] < 1 = there are α, γ such that 1, 2, 3 hold.

Interaction (slide 17 / 24)
Conditions 1, 2, 3 can be expressed in terms of path games between the user and the model checker.
Condition i holds iff the model checker has a winning strategy in the respective path game.
To understand why a condition holds, the user plays the respective path game against the model checker. By losing the user finds the error in the system.

Interaction: Disjointness Y Sat(Φ) = (slide 18 / 24)
The path game: x = α γ γ γ ... (built up in turns; finally x is checked against Φ)
The model checker ensures x Y. The user wins iff x Φ.
The model checker has a winning strategy; equivalently, the user is unable to establish x Φ; equivalently, Y Sat(Φ) = .
The game corresponds to the Banach-Mazur game.

Outline (slide 19 / 24)
- Qualitative Counterexamples
- Other Results

Quantitative Counterexamples (slide 20 / 24)
Quantitative Counterexample: Y := W Fair_Σ(R)
W: set of finite paths; R: set of recurrent words
Y Sat(Φ) = , P[Y] sufficiently large
Theorem (Soundness): P[Φ] 1 P[W] P[Φ W] = 0
Theorem (Completeness): P[Φ] 1 t = there is a counterexample W Fair_Σ(R), where R contains one rec. word per bscc, and W is regular.
Interaction: as W is regular, various techniques from the literature can be applied for presenting W to the user.

Computing Counterexamples (slide 21 / 24)
We have developed non-trivial extensions of an algorithm of Courcoubetis and Yannakakis (1995).
Object                  | Complexity in Σ | Complexity in Φ
α, γ                    | Σ               | exponential
α of max. probability   | Σ log Σ         | doubly exp.
W                       | Σ               | doubly exp.
R                       | Σ #bsccs        | exponential

Summary (slide 22 / 24)
- A qualitative counterexample can be represented as α Sat( γ).
- A quantitative counterexample can be represented as W Fair_Σ(R), where W is regular.
- We describe an interactive game that supports the user in finding the error.
- We have developed algorithms computing our counterexample representations.
Future directions: generalize results for Markov Decision Processes; case studies.

Appendix: Periodic Counterexamples (slide 24 / 24)
(figure: the chain of slide 4, states s, q, p, r; transition probabilities 0.7, 0.3, 1, 0.4, 1, 0.6)
Each periodic path has probability zero, e.g., P[{s(pr)^ω}] = 0.
The set of all periodic paths is countable.
The set of all periodic paths has probability zero.
Sets of periodic paths can in general not be used as counterexamples!
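The script below is an added example and is not code from the slides or from the authors' tool. It makes the objects of slide 4 (probability of a finite prefix), slides 15 and 16 (recurrent word, a finite path α that almost surely leads to γ, and the resulting bound on P[Φ]) and slide 24 (a periodic path has probability zero) concrete on a tiny Markov chain. Only the transitions s to p with probability 0.7 and p to r with probability 0.4 are taken from slide 4; every other transition in CHAIN is a constructed assumption, as is the initial state s. Conditions 1 and 2 are checked structurally (bottom SCCs and reachability); condition 3, disjointness of Y from Sat(Φ), needs an LTL checker and is deliberately left out, so the returned bound 1 − P[α] on P[Φ] is what the soundness theorem gives once condition 3 has been established separately.

```python
"""Added example (not from the slides): structural checks for a qualitative
counterexample Y = alpha . Sat(gamma) on a small discrete-time Markov chain.
Only s->p (0.7) and p->r (0.4) come from slide 4; the rest is constructed."""

# Adjacency with positive transition probabilities (each row sums to 1).
CHAIN = {
    "s": {"p": 0.7, "q": 0.3},   # s->p from slide 4, s->q assumed
    "q": {"q": 1.0},             # assumed absorbing state
    "p": {"r": 0.4, "p": 0.6},   # p->r from slide 4, self-loop assumed
    "r": {"p": 1.0},             # assumed
}
INITIAL = "s"  # assumed initial state


def cylinder_probability(chain, prefix):
    """P[prefix] (slide 4): probability of all infinite paths starting with
    `prefix`, i.e. the product of the transition probabilities along it.
    A missing transition makes the prefix impossible and the product 0."""
    prob = 1.0
    for a, b in zip(prefix, prefix[1:]):
        prob *= chain[a].get(b, 0.0)
    return prob


def reachable(chain, start):
    """States reachable from `start` (including `start` itself)."""
    seen, stack = set(), [start]
    while stack:
        x = stack.pop()
        if x not in seen:
            seen.add(x)
            stack.extend(chain[x])
    return seen


def bsccs(chain):
    """Bottom strongly connected components: SCCs that no transition leaves.
    Uses a quadratic mutual-reachability test, which is fine for small chains."""
    reach = {x: reachable(chain, x) for x in chain}
    comps = {frozenset(y for y in reach[x] if x in reach[y]) for x in chain}
    return {c for c in comps if all(set(chain[y]) <= c for y in c)}


def is_recurrent_word(chain, gamma):
    """Condition 1 (slide 15): gamma is a finite path fragment inside one bscc."""
    if not gamma or cylinder_probability(chain, gamma) == 0.0:
        return False
    return any(set(gamma) <= b for b in bsccs(chain))


def leads_almost_surely(chain, initial, alpha, gamma):
    """Condition 2 (slide 15): alpha is a finite path from the initial state and
    the bscc containing gamma is the only bscc reachable after alpha."""
    if not alpha or alpha[0] != initial or cylinder_probability(chain, alpha) == 0.0:
        return False
    reach = reachable(chain, alpha[-1])
    reachable_bsccs = [b for b in bsccs(chain) if b & reach]
    return len(reachable_bsccs) == 1 and set(gamma) <= reachable_bsccs[0]


def qualitative_counterexample(chain, initial, alpha, gamma):
    """Soundness (slide 16), conditions 1 and 2 only.  Returns (P[alpha], bound),
    where bound = 1 - P[alpha] is the upper bound on P[Phi] once condition 3
    (Y disjoint from Sat(Phi)) is established separately; None if 1 or 2 fails."""
    if not (is_recurrent_word(chain, gamma)
            and leads_almost_surely(chain, initial, alpha, gamma)):
        return None
    p_alpha = cylinder_probability(chain, alpha)
    return p_alpha, 1.0 - p_alpha


def periodic_prefix_probabilities(chain, head, period, n):
    """Appendix (slide 24): P[head . period^k] for k = 1..n.  For s(pr)^omega the
    values fall geometrically, so the single periodic path has probability zero."""
    return [cylinder_probability(chain, head + period * k) for k in range(1, n + 1)]


if __name__ == "__main__":
    print("bsccs:", [sorted(b) for b in bsccs(CHAIN)])
    print("P[spr] =", cylinder_probability(CHAIN, ["s", "p", "r"]))
    print("alpha=sp, gamma=rpr:",
          qualitative_counterexample(CHAIN, INITIAL, ["s", "p"], ["r", "p", "r"]))
    print("alpha=s, gamma=rpr:",
          qualitative_counterexample(CHAIN, INITIAL, ["s"], ["r", "p", "r"]))
    print("prefixes of s(pr)^omega:",
          periodic_prefix_probabilities(CHAIN, ["s"], ["p", "r"], 4))
```

With α = sp and γ = rpr the two structural conditions hold (after sp only the bscc {p, r} is reachable), so P[Y] = P[sp] = 0.7 and P[Φ] can be at most 0.3 for any Φ whose satisfying paths are disjoint from Y; with α = s alone both bsccs {q} and {p, r} remain reachable, so condition 2 fails and no bound is produced. The last line shows why the appendix rules out periodic paths as counterexamples: the probability of the prefixes of s(pr)^ω is 0.7 · 0.4^k and tends to zero.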